Enabling PKGSRC_MKPIE by default

To: tech-pkg%netbsd.org@localhost
Subject: Enabling PKGSRC_MKPIE by default
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Sat, 28 Oct 2017 02:19:56 +0200

			Hi tech-pkg@,

with NetBSD 8 around the corner, enabling PaX ASLR *and* REPRO by
default, it becomes *very* important to provide PIE binaries for the
whole system (base and packages). Without this, the binaries generated
are meant to be identical for everyone, and memory offsets fixed across
the entire user-base per architecture: a paradise for exploits.

The good news is that I just found a couple issues with PKGSRC_MKPIE in
the cwrappers, and could come up with a corresponding patch (attached).
While I let Joerg review it (as trivial as it seems to be), I would like
to ask if I can flip the switch once that patch committed, so that we
can find as much as possible of the remaining fallout soon, and 2017Q4
ships with PKGSRC_MKPIE enabled by default.

It will only be the case where known supported, which is only
NetBSD/amd64 and NetBSD/i386 for the moment. I also welcome any help
testing it further! :)

Thoughts?

Cheers,
-- 
khorben

Index: files/bin/common.h
===================================================================
RCS file: /cvsroot/pkgsrc/pkgtools/cwrappers/files/bin/common.h,v
retrieving revision 1.7
diff -p -u -r1.7 common.h
--- files/bin/common.h	27 Oct 2017 20:59:59 -0000	1.7
+++ files/bin/common.h	27 Oct 2017 22:53:53 -0000
@@ -50,6 +50,8 @@ enum operation_mode {
 	mode_assemble,
 	mode_compile,
 	mode_link_executable,
+	mode_link_omagic,
+	mode_link_relocatable,
 	mode_link_shared
 };
 extern enum operation_mode current_operation_mode;
Index: files/bin/normalise-ld.c
===================================================================
RCS file: /cvsroot/pkgsrc/pkgtools/cwrappers/files/bin/normalise-ld.c,v
retrieving revision 1.3
diff -p -u -r1.3 normalise-ld.c
--- files/bin/normalise-ld.c	11 Jun 2017 19:34:43 -0000	1.3
+++ files/bin/normalise-ld.c	27 Oct 2017 22:53:53 -0000
@@ -44,6 +44,16 @@ operation_mode_ld(struct arglist *args)
 	TAILQ_FOREACH(arg, args, link) {
 		if (arg->val[0] != '-')
 			continue;
+		if (strcmp(arg->val, "-N") == 0 ||
+		    strcmp(arg->val, "--omagic") == 0) {
+			current_operation_mode = mode_link_omagic;
+			continue;
+		}
+		if (strcmp(arg->val, "-r") == 0 ||
+		    strcmp(arg->val, "--relocatable") == 0) {
+			current_operation_mode = mode_link_relocatable;
+			continue;
+		}
 		if (strcmp(arg->val, "-shared") == 0 ||
 		    strcmp(arg->val, "-Bshareable") == 0) {
 			current_operation_mode = mode_link_shared;

Follow-Ups:
- Re: Enabling PKGSRC_MKPIE by default
  - From: Greg Troxel

Prev by Date: Re: Assembling with as(1) from cwrappers
Next by Date: daily pkgsrc CVS update output
Previous by Thread: Assembling with as(1) from cwrappers
Next by Thread: Re: Enabling PKGSRC_MKPIE by default
Indexes:

Home | Main Index | Thread Index | Old Index